Microsoft Gets Security Religion, Part 3
In his memo on Trustworthy Computing, Gates says that ideal computer systems should be as reliable as services such as electricity, water and telephones. Doc Searls made the very astute observation that these services are infrastructure, and has this to say:
Interesting. Those other services are infrastructural. Significantly, their workings are transparent. There is no secret to how any of them work. (Even digital telephony.) As de facto infrastructure, Windows is anomalous in its lack of transparency.
He has a point here. You can easily look up documents on electric generation plants, water pumping stations and telephone company switches; you can even take tours of these facilities. You can’t do that with Windows, because beyond a certain point, its inner workings are hidden to anyone not working at Microsoft. We programmers can only go as far as the API — the Application Program Interface, the thing that allows our programs to use the services provided by Windows. Even then, Microsoft supposedly doesn’t make their entire API known; it gives them an edge over everyone else when it comes to writing software for Windows.
With real-world infrastructural services like electricity and water, the inner workings are subject to scrutiny. You can hire an independent engineering firm to do an audit of a power plant to see that it’s being properly run and maintained. You can’t do that with Windows since it’s a black box. The underlying code has always been unavailable to the general public, and only recently has it been made available to select business partners through Microsoft’s “shared source” program.
By choosing to develop OS X on a transparent base – Darwin, which is BSD on a Mach kernel [It’s open source, which means that the source code — the “recipe”, if you will — is freely available for anyone to read or modify — Joey] – Apple respected the essentially infrastructural nature of operating systems, and the need for transparency at that level. I was talking with an Apple guy who works on OS X last night, and he was going on about the synergy between the company and outside Darwin hackers who shared an interest in improving Darwin as base-level infrastructure. Also about what Apple is giving back to the world in its work on FireWire, for example.
I think, in the long run, Microsoft would be wise to do the same, at least if it wants to maintain Windows’ infrastructural role.
It sounds like a good idea, but will Microsoft do it?
More on infrastructure
Thinking of software as infrastructure led me to think of other properties of “real-world” infrastructure and whether or not software infrastructure has something comparable.
Real-world infrastructural services are accountable to the public and to the government. When blackouts like those in California last year happened, there was a public outcry and action on the part of the state and federal governments. When operating systems fail, there’s some public outcry that gets a token response from the software company’s tech support and marketing departments, and there’s almost nothing the government can do. When you rip open the packaging of your operating system, you are “signing” a EULA (End User Licensing Agreement) which pretty much absolves the software company of any blame for anything bad the software does. Certain EULAs go even further — the EULA for Microsoft SQL Server (it’s database software) expressly forbids you from publishing performance data comparing it to other database software, or even data comparing SQL Server on different versions of Windows!
Real-world infrastructure often has to meet some kind of safety standard. There are building codes, standards for electrical and chemical safety, government bodies like the FCC (Federal Communications Commission) and NTSB (National Travel Safety Board) and independent organizations like Underwriters Laboratories that perform safety and standards tests on real-world products. With software, you’re relying on the diligence of your software vendor’s QA department.
Real-world infrastructural services are usually designed by accredited engineers who are members of professional societies (in the case of Ontario, Canada, where I live, it’s the PEO — Professional Engineers of Ontario). Programming isn’t a profession, and many programmers out there taught themselves rather than going to university and majoring in computer science. I’m not saying being self-taught is necessarily a bad thing; many great programmers out there didn’t major in computer science or even go to university. However, accreditation fosters accountability, which is a necessity when making infrastructure.
Real-world infrastructural services can be proven to work on paper. We have sufficient math to prove that a bridge or building design will work (and we also have thousands of years’ experience in making them, too), or that a chemical reaction will happen just as expected in a factory, or that electricity will flow from point A to point B at the expected voltage and current. However, computer science is still a young field; the definition of what is computable didn’t come up until the 1930’s, von Neumann didn’t come up with the guiding principle behind machines today until the 1940’s, and we didn’t have ENIAC until the 1950’s. We can’t prove that a piece of software will work without taking a ridiculously long time: for example, the math required to prove that a simple program adds two numbers correctly takes up two pages of legal foolscap (that was a question on one of my final exams).
Software is becoming infrastructure, but it doesn’t yet have the constraints that infrastructure needs. What we call “software engineering” is far from real engineering, in spite of the fact that we’re beginning to rely on it as much as other infrastructure that is engineered. As developers, we’re going to have to meet the challenge of turning computer science from its current hodge-podge state into a true engineering discipline; as consumers and citizens, we’re going to have to demand it from developers, software vendors and bodies like the ACM (Association for Computing Machinery).
Then, we may have a decent shot at Trustworthy Computing.